SCEP and NPS

  • Question

  • Hello,

    Aim: Windows 10 devices, enrolled using Intune, will get Wi-Fi, root and SCEP profiles. The permanent Wi-Fi will be to a Meraki Access Point which authenticates against my RADIUS server (NPS).

    At the moment it seems that all the profiles are deployed correctly, the root CAs are in the devices' trusted certs, the Wi-Fi profile is there and according to Intune (and the CA) the SCEP certificate has been issued... but question number 1:

    1. How can I check on the device that the SCEP certificate is on it?

    My only problem now is that when I try to connect to the Access Point's SSID, which authenticates against my NPS server, I get a failure in that it's expecting a certificate. If I check the NPS logs I can see that an attempt is made to connect but is rejected with event ID 6273, reason code 8 (the specified user account does not exist).

    NPS is set up for EAP-TLS authentication (certificates only); NPS has a server certificate and all with trust to the chained root CA.

    Any pointers on where I may have gone wrong?

    Tuesday, May 14, 2019 7:49 PM

All replies

  • If you don't have access to the physical device to check the certificate store (using MMC), then on the certificate connector server there should be a log called NDESConnector_Date.svclog. You can see if it issued the certificate to the device. Check this link at the very bottom for how to view and open the log
    Tuesday, May 14, 2019 8:59 PM
  • Hi, thanks for the reply.

    I have got access to the device... but my understanding was that SCEP certificates are saved to the TPM and are therefore not visible via the MMC certificate snap-in?

    Wednesday, May 15, 2019 4:57 AM
  • Sorry, you're correct. Can you confirm in the log mentioned above that the certificate was handed out?
    Wednesday, May 15, 2019 5:45 AM
  • Hi Nick,

    I have checked that log and everything looks correct.

    I have also checked the CA and the certificate is "Issued".

    However, within Intune, under the SCEP profile --> Certificates. The certificate has a "certificate status" as None.

    Wednesday, May 15, 2019 8:42 AM
  • Hi,

    Is it a user or device based cert? If it is device based, are the devices only AAD joined (not joined to the local domain)? NPS is not able to authenticate AAD joined devices, since when authentication is made, it queries AD for the computer object; if it's not found the error "the specified user account does not exist" is returned.

    If the above is the case, your option is to use user-based cert (since user accounts exists in AD) or a third-party NPS. 

    Wednesday, May 15, 2019 9:52 AM
  • That's not correct. TPMs store the private key, not the certificate, and this is contingent upon what is chosen in the SCEP profile. See

    Jason | | @jasonsandys

    Wednesday, May 15, 2019 4:06 PM
  • Let me try and explain in more detail -

    I'm using AAD for users and devices.

    However, my SCEP / NPS solution (and PKI) is completely separate to that, on its own local AD (on a VM).

    During device enrolment the device gets the SCEP, root and Wi-Fi profiles and therefore the device gets:

    1. the ROOT cert in trusted certs (confirmed on device)

    2. Wi-Fi profile (confirmed on device)

    3. SCEP certificate (confirmed that it's issued and the NDES logs suggest everything is OK with delivery, but unable to confirm on the device).

    I then have a Meraki AP which is configured to authenticate against my RADIUS server (NPS, which is on the same domain as my SCEP / PKI infrastructure).

    NPS is set up for EAP-TLS profiles.

    Therefore when the device tries to connect to the SSID on Meraki it should authenticate using the certificate issued by SCEP.

    Wednesday, May 15, 2019 6:49 PM
  • Jason - so do you think I should be seeing the public key in my personal certificates store?
    Wednesday, May 15, 2019 9:19 PM
  • Certificates contain public keys so yes, you should be seeing the cert. Which store are you checking? The Personal store of the local computer?

    Jason | | @jasonsandys

    Wednesday, May 15, 2019 9:27 PM
  • Well.... I checked both the user and local computer cert stores previously and there was nothing; however, having just checked, I can now see them appearing... I guess I must have corrected something along the way.

    OK, so now my situation is:

    Using Device certificate (SCEP profile):

    Client error when attempting to connect to SSID - You need a certificate to connect.

    NPS error - event ID: 6273, reason code 8 (the specified user account does not exist)

    Using User certificate (SCEP profile):

    Client error when attempting to connect to SSID - Unable to connect to this network.

    NPS error - event ID: 6273, reason code 7 (the specified domain does not exist)

    I can understand this one as the user is on a different domain to the NPS server... but I can't understand the device cert error.

    Thursday, May 16, 2019 8:53 AM
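The two rejections above (reason code 8 and reason code 7) are both Security event 6273 on the NPS server. The script below is an added example, not from this thread or from Microsoft, that parses those events so the account name NPS tried to look up can be read next to the reason code; the sample event text is constructed, and the host and domain names in it are invented.

```powershell
# Added example (not from the thread): pull NPS rejections (Security event 6273)
# and summarise them by reason code, so "reason code 8" style failures can be
# correlated with the account name NPS actually tried to look up.
# The sample event text below is constructed for offline use; the live query
# needs an elevated session on the NPS server. All names in the sample are invented.

function ConvertFrom-NpsRejectMessage {
    param([Parameter(Mandatory)][string]$Message)
    # A 6273 message is a list of "Label:<tabs>Value" lines; keep the ones that matter.
    $want = 'Account Name', 'Account Domain', 'Fully Qualified Account Name',
            'Client Friendly Name', 'Authentication Type', 'EAP Type', 'Reason Code', 'Reason'
    $fields = [ordered]@{}
    foreach ($line in ($Message -split "`r?`n")) {
        # [^:]+ stops at the first colon, so "EAP Type: Microsoft: Smart Card..." keeps its value intact
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $label, $value = $Matches[1].Trim(), $Matches[2].Trim()
            if ($want -contains $label) { $fields[$label] = $value }
        }
    }
    [pscustomobject]$fields
}

function Get-NpsRejects {
    param([int]$Last = 200, [string]$ComputerName = 'localhost')
    # Live query: event 6273 = "Network Policy Server denied access to a user."
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $Last |
        ForEach-Object {
            $p = ConvertFrom-NpsRejectMessage -Message $_.Message
            $p | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
        }
}

# --- constructed sample: a device-certificate attempt rejected with reason code 8 ---
$sample = @"
Network Policy Server denied access to a user.

User:
	Security ID:			NULL SID
	Account Name:			host/DESKTOP-AB12CD.example.invalid
	Account Domain:			EXAMPLE
	Fully Qualified Account Name:	EXAMPLE\host/DESKTOP-AB12CD.example.invalid

Authentication Details:
	Authentication Type:		EAP
	EAP Type:			Microsoft: Smart Card or other certificate
	Reason Code:			8
	Reason:				The specified user account does not exist.
"@

$parsed = ConvertFrom-NpsRejectMessage -Message $sample
$parsed | Format-List

# Summary of live rejections by reason code (run on the NPS server):
# Get-NpsRejects | Group-Object 'Reason Code' | Sort-Object Count -Descending |
#     Select-Object Count, Name, @{ n = 'Reason'; e = { $_.Group[0].Reason } }
```

The "Account Name" field is the useful part: for a device certificate it is the name NPS derived from the certificate (typically a host/ form) and then failed to find in the on-prem AD, which is exactly what reason code 8 means. For a user certificate, reason code 7 shows the domain part of that name, which is where the "different domain" mismatch shows up.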
  • Hi mlawton, I'm facing the same issue. Did you ever get this device certificate auth problem resolved for Wi-Fi auth?
    Tuesday, June 18, 2019 6:27 PM
  • Hi Mlawton,

    If you are using AADJ-only devices in your environment and you are trying to authenticate based on a device instead of a user, then you have a problem with NPS. NPS doesn't support device authentication with AADJ devices. You can then only use user authentication.

    If you are enrolling the device certificates via a SCEP profile you should see an issued certificate on the device under Local Computer\Personal\Certificates. For the user certificate, you should see the certificate under the user's account (Current User\Personal\Certificates). You can also check on the CA which certificates have been issued.
    If you don't see any certificates on the device then you have a problem with the SCEP profile, NDES or the CA itself. Check the log on the NDES server for more information.


    Wednesday, June 19, 2019 9:59 AM
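Jason's and Albert's replies both come down to the same check: the certificate must be in the device's Personal store even when the private key is TPM-backed. The script below is an added example, not code from this thread or from Microsoft, that lists the certificates from the internal CA in both Personal stores and reports the properties EAP-TLS depends on. The issuer name "CORP-Issuing-CA" is an assumption; substitute the name of your own issuing CA.

```powershell
# Added example (not from the thread): inventory the certificates Intune SCEP
# delivered to a Windows 10 device and check the properties EAP-TLS will need.
# Assumption (not in the original posts): the issuing CA's subject contains
# "CORP-Issuing-CA". Run from an elevated PowerShell to read the machine store.
param(
    [string]$IssuerPattern = 'CORP-Issuing-CA'   # assumption: substring of the CA's subject name
)

$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

foreach ($store in $stores) {
    Write-Host "== $store =="
    $certs = Get-ChildItem -Path $store | Where-Object { $_.Issuer -like "*$IssuerPattern*" }
    if (-not $certs) { Write-Host "  no certificate issued by '$IssuerPattern' found"; continue }

    foreach ($cert in $certs) {
        # NPS requires the Client Authentication EKU (1.3.6.1.5.5.7.3.2) on the client certificate.
        $ekus          = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
        $hasClientAuth = $ekus -contains '1.3.6.1.5.5.7.3.2'

        # Subject Alternative Name (2.5.29.17): for a device cert this is the name NPS maps to an AD object.
        $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '<none>' }

        # Where the private key lives. "Microsoft Platform Crypto Provider" means TPM-backed;
        # the certificate itself is always in the store, only the key can live in the TPM.
        $key      = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $provider = if ($key -and $key.Key) { $key.Key.Provider.Provider } else { '<no private key or not a CNG RSA key>' }

        # Does the chain build to a trusted root on this device (the root the Intune profile delivered)?
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check here; NPS does its own revocation checking
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyProvider   = $provider
            ClientAuthEKU = $hasClientAuth
            SAN           = $sanText
            ChainBuilds   = $chainOk
        } | Format-List
    }
}
```

A device certificate shows up under Cert:\LocalMachine\My and a user certificate under Cert:\CurrentUser\My, matching the two SCEP profile types discussed above. If HasPrivateKey is false the SCEP enrolment did not complete on the device, whatever the CA says; if ClientAuthEKU is false NPS will reject the certificate before it ever looks up the account.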
  • Hi Albert

    (all well? ;-) )

    Is this something you have experienced, or can you share an article/support statement that this does not work, and what would be a workaround for this?


    Wednesday, June 19, 2019 10:54 AM
  • Hi Dirk Verhagen!

    (Yes, all is going well here, and with you? =D)

    Based on experience and some research on the Internet about this phenomenon. Unfortunately there isn't an article about this. There are only some discussions, like here on TechNet, about this problem.
    You can only do 2 things: 1) change authentication to user authentication. 2) Hybrid Azure AD join scenario. There are also third-party solutions for this, but they also use user authentication, like Cisco ISE and ClearPass.

    The thing here is that NPS is an on-premises solution. NPS works only with on-premises Active Directory and will verify against the on-prem AD. NPS has no relation with Azure AD. To verify the device, it will look in the on-prem AD for the computer object. There is a workaround to fake the authentication process by creating a new (empty) computer object and setting an SPN for that specific device, but this is unmanageable at a later stage.

    • Edited by Albert Neef Wednesday, June 19, 2019 11:30 AM
    Wednesday, June 19, 2019 11:26 AM
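The workaround Albert mentions, an empty computer object carrying an SPN for the device, is shown below as an added example; it is not code from this thread or from Microsoft. It assumes (the thread does not state this) that NPS maps a device certificate to an AD object through the host/<DNS name> SPN, where the DNS name is the DNS SAN in the SCEP-issued certificate; the domain corp.example, the OU path and the device name are invented.

```powershell
# Added example (not from the thread): the "empty computer object + SPN" workaround,
# plus the lookup that shows whether NPS will find an object for a given device.
# Assumptions (not stated in the thread): NPS resolves a device certificate to AD via
# the host/<DNS-SAN> service principal name; the cert carries a DNS SAN such as
# DESKTOP-AB12CD.corp.example; the on-prem domain is corp.example. The OU is invented.
# Requires the ActiveDirectory RSAT module and rights to create computer objects.
Import-Module ActiveDirectory

function Find-ComputerBySpn {
    param([Parameter(Mandatory)][string]$DnsName)
    # This is effectively the lookup NPS performs; no result = "account does not exist" (reason code 8).
    $spn = "host/$DnsName"
    Get-ADComputer -Filter "servicePrincipalName -eq '$spn'" -Properties servicePrincipalName
}

function New-NpsPlaceholderComputer {
    param(
        [Parameter(Mandatory)][string]$DnsName,                      # must equal the DNS SAN in the SCEP cert (assumption)
        [string]$OUPath = 'OU=AADJ-Placeholders,DC=corp,DC=example'  # assumed OU for these objects
    )
    $name = ($DnsName -split '\.')[0]
    if (Find-ComputerBySpn -DnsName $DnsName) {
        Write-Warning "an object already carries host/$DnsName; nothing created"
        return
    }
    # The object exists only so the SPN lookup succeeds; it is never domain-joined and never
    # gets a machine secret. It is left enabled because NPS also checks the account status.
    # As the thread notes, these objects are unmanaged: nothing removes them when the
    # Azure AD device is retired, so track them in a dedicated OU.
    New-ADComputer -Name $name -DNSHostName $DnsName -Path $OUPath `
        -ServicePrincipalNames @("host/$DnsName", "host/$name") `
        -Description 'Placeholder for Azure AD joined device (NPS EAP-TLS workaround)' -PassThru
}

# Usage (on a domain-joined admin host):
# Find-ComputerBySpn -DnsName 'DESKTOP-AB12CD.corp.example'        # empty -> reason code 8 expected
# New-NpsPlaceholderComputer -DnsName 'DESKTOP-AB12CD.corp.example'
# Find-ComputerBySpn -DnsName 'DESKTOP-AB12CD.corp.example'        # now returns the placeholder
```

Run the lookup first against the name taken from the rejected 6273 event: if it returns nothing, the rejection is the missing-object case this thread is about, not a certificate problem.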
  • Yes, all good here too, keep it up :)

    I was afraid of that; it only works with on-prem AD.

    Do you know of, or have you tried, the Device Writeback option in AD Connect? Does it work?

    That way you don't have to create the device in AD (but the device name is probably different in AAD than in AD).

    PS. Do you have the article on creating the computer object + SPN?

    Wednesday, June 19, 2019 1:09 PM
  • Device writeback is only for conditional access in combination with ADFS and for hybrid Windows Hello for Business. Device writeback won't work with NPS. During the device writeback action, only the GUID of the Azure AD joined device will be written in the Active Directory. It's not the complete computer object which is written to the Active Directory. 

    I found this discussion on Technet:
    There are 2 methods to "workaround" this problem. 
    Thursday, June 20, 2019 6:44 AM